Syrian Electronic Army causes mayhem with Twitter, web hacks

In its latest breach of a highly trafficked website, the Syrian Electronic Army has published a database that it says contains login credentials for 1 million users of business publication Forbes.com. Forbes confirmed the attack Friday, but stopped short of saying how many credentials had been compromised. “Users’ email addresses may have been exposed,” Forbes wrote. “The passwords were encrypted, but as a precaution, we strongly encourage Forbes readers and contributors to change their passwords on our system, and encourage them to change them on other websites if they use the same password elsewhere.”

On New Year’s Day, the Syrian Electronic Army hacked Skype’s Twitter account and its official Microsoft blog, allegedly in order to warn people away from Microsoft’s email services. Today, the hackers appear to be at it again. This morning, they broke into the Microsoft News Twitter account, and now they’ve hijacked the entire Official Microsoft Blog, turning it into a giant automatic redirect to their own propaganda website.

On New Year’s Day, when many Microsoft support employees were likely on vacation, the breaches weren’t addressed immediately, but today Microsoft appears to be actively combating the threat. Today’s first tweet was rapidly deleted, as were postings to the Official Microsoft Blog.

One of the core members of the hacker collective known as the Syrian Electronic Army (SEA) is allegedly conducting a live interview via instant message right now.

The discussion with hacker “Th3Pr0” is being moderated by Matthew Keys, the former deputy social media editor at Reuters who was indicted for conspiring with members of the hacker group Anonymous (he’s denied the charges). The audience is invited to ask questions.

Yesterday, President Barack Obama posted an article on his Twitter account: “Science fair nightmare: This #climate change denier is the world’s most embarrassing dad,” he wrote. But the attached link didn’t go to his campaign site. Instead, it directed readers alternately to an apparent malware site and a propaganda video called “Syria Facing Terrorism.” It appeared that the Syrian Electronic Army had claimed another victim, all the way at the top of the US government.

But the problem didn’t seem to be a full account hack. Instead, someone had used Obama’s URL shortener to hijack the link, directing it to the video and site. Huffington Post correspondent Sam Stein quickly got a response from Obama campaign group Organizers for Action: “An account with our link shortener was hacked. [But] at no point did they have access to the Twitter handle.” Twitter has also confirmed to us that there’s no evidence the Twitter account was hacked. The tweet was up for 19 hours before the redirect was noticed, making it possible that the change happened only recently. Not long after, the link was fixed; it now sends readers to Barack Obama’s site.

As the US moves closer to a military strike against Syrian President Bashar al-Assad, the pro-Assad Syrian Electronic Army has made one of its most obvious political statements yet. Earlier today, the group successfully defaced the Marines.com recruiting website, posting a plea for service members to refuse any orders to attack Syrian government forces. “Obama is a traitor who wants to put your lives in danger to rescue al-Qaeda insurgents,” the page read earlier today, as shown in a screenshot from The Wall Street Journal. “The Syrian army should be your ally not your enemy. Refuse your orders and concentrate on the real reason every soldier joins their military, to defend their homeland.”

The SEA’s references to al-Qaeda are in line with a common refrain from al-Assad, who describes opponents of his government as terrorists. Along with the text, the page showed images of people in US military uniforms, their faces obscured by signs like “I didn’t join the Marine Corps to fight for al-Qaeda in a Syrian civil war.” Fighting in that war, however, seems more likely every day. Since an apparent nerve gas attack left nearly 1,500 dead in mid-August, blame has been largely placed on the Assad regime, though UN weapons inspectors have yet to make an official pronouncement.

The dust is still settling from yesterday’s attacks on Twitter and the New York Times, but observers have already gained valuable insight into the methods that made the hacks possible. The LA Times is reporting that the hacks originated with a phishing email sent by the Syrian Electronic Army to the CTO of MelbourneIT, the DNS registrar for both Twitter and the New York Times. The emails were convincing enough to trick one of Melbourne’s resellers into giving up login credentials, which gave the hackers a crucial opening. From there, they were able to acquire the credentials of one of MelbourneIT’s resellers, and go to work redirecting NYTimes.com visitors to the SEA’s own IP address.

A Cloudflare post went into more detail on the aftermath of the hack, in which the Times called in outside help from Google, Cloudflare and OpenDNS. The bad records entered by the hackers quickly moved upstream to Verisign, the top-level registrar for nytimes.com, which resulted in major outages and redirections. Strangely, MelbourneIT was unable to fix the registry itself, so the team went to work at every level of the DNS system, from Verisign’s top-level registry to the various servers connecting Verisign to MelbourneIT.

The Syrian Electronic Army made headlines today for attacks on the New York Times, but Twitter may have also attracted the group’s attention. In a tweet, the hackers claimed to have gained access to the DNS servers for twitter.com, along with the Huffington Post UK. Tests showed the records were indeed changed, but name servers continued to redirect to the correct IPs, and the change was most likely a result of the breach in a DNS records holding site. Multiple tests by The Verge revealed no break in the HTTPS connection to twitter.com, suggesting the IP connection was never disturbed. It therefore looks like the SEA is going after the name servers for Twitter, but hasn’t directly hacked Twitter itself.

Twitter’s image server, hosted separately at twimg.com, may be a different story. Multiple users on Twitter reported their backgrounds being changed to Syrian-themed images, and DNS records first found by security reporter Brian Krebs confirm that twimg.com was briefly redirecting to an SEA-affiliated site. The account also claimed to have brought down Twitter.co.uk, although the site still appears to be functional.

The New York Times’ website is down from what appears to be a “malicious external attack,” according to a statement posted to its Facebook page. The Atlantic Wire reports that the paper’s domain has reportedly been in and out of service since 3PM EST, when it first became unavailable. The attack is alleged to be the work of the Syrian Electronic Army (SEA), a group of hackers that claims to be promoting the Assad regime. The Times has been reporting on the recent Syrian chemical attacks, which may have attracted the SEA’s attention.

The paper’s website has been set up to redirect requests from nytimes.com to a domain operated by the SEA. While the SEA’s website was not functioning during much of the ongoing outage, Megan Hess, an editor at Mashable, reported seeing a banner for the Syrian Electronic Army overtaking the domain. Readers can sidestep the hack by heading directly to the Times’ IP address at 170.149.168.130, where it otherwise continues to function as normal.

Online vandals calling themselves the “Syrian Electronic Army” have struck again. This morning, they hijacked an article recommendations service used by major US news websites, including The Washington Post, CNN and Time. A box on the The Washington Post’s website that usually displays recommended articles from around the web instead showed text reading “Hacked by SEA.” The news outlet published an editor’s note confirming the website hijacking, and adding that it came after an employee’s Twitter account was also hijacked and used to send out Syrian Electronic Army tweets. In another article, The Washington Post said its engineers had linked the attack to Outbrain, the third-party company responsible for the recommendations boxes.

Outbrain itself quickly took to Twitter to confirm it had been hacked, but didn’t immediately name who was responsible or who was suspected. In a post on its blog, Oubtrain also said “the breach now seems to be secured.”

The Twitter account of news agency Thomson Reuters appears to have been hacked, the latest victim in a string of similar incidents at the hands of a group called the Syrian Electronic Army. All Things D points out that the account has been suspended, but not before posting a series of inflammatory cartoons (compiled by BuzzFeed) aimed at the anti-Assad Free Syrian Army, the USA, Turkey, and Lebanon.

The Thomson Reuters hack follows a several-month lull after the group attacked the Twitter accounts of news outlets including CBS, NPR, The Guardian, and even satire site The Onion. The Army has also claimed responsibility for stealing millions of Tango users’ email addresses and hacking UK broadcasting group Sky’s Android apps.

The Syrian Electronic Army, known for hacking the Twitter accounts of the Associated Press, The Guardian, and other news sources, is now claiming to have hacked the website and database of messaging app Viber. Earlier today, The Hacker News reported that Viber’s support subdomain had been defaced with a “Hacked by Syrian Electronic Army” banner and an apparent screenshot of a device database. “Dear All Viber Users [sic], the Israeli-based ‘Viber’ is spying and tracking you,” reads a message at the top. “We weren’t able to hack all Viber systems, but most of it is designed for spying and tracking.” Since then, the page has been taken down by Viber, though a copy can be found here (proceed at your own risk.)

Viber boasts 200 million users, and it’s not totally clear how much information the Syrian Electronic Army found out about them. Yesterday, the SEA said it had found “millions” of email addresses and phone numbers through messaging app Tango, and that it planned to hand them over to the Syrian government. Tango acknowledged the intrusion but downplayed the security threat, though it didn’t say what precisely had been accessed.

After hacking a number of high-profile Twitter accounts this spring, the Syrian Electronic Army (SEA) is now claiming to have stolen millions of email addresses and phone numbers from users of the messaging service Tango. In a move that could spell trouble for Syrian rebels, the SEA has announced that it will be handing the information over to its country’s government. The hack was acknowledged by Tango on Saturday, however it only noted that “some data” had been accessed.

Collin Anderson, a researcher on Iran and internet censorship, told The Verge that Tango may have been targeted due to its high profile in the region. “Everyone gets that you can’t use the telephone,” Anderson said. Because online messaging services often provide more robust security, Anderson notes that many people living under authoritarian regimes will “desperately seek out chat and video conferencing applications.” Due to bans on Skype and Viber throughout Iran, Tango has recently been subject to more attention and broader adoption.

Adding to a spate of recent infiltrations of major media outlets, the Syrian Electronic Army appears to have compromised the Twitter account for the British Sky Broadcasting Group, spreading fears that the broadcaster’s apps had been compromised in a hack. Sky denies that its Android apps — including Sky Go, Sky+, Sky Wi-Fi, and Sky News — have been compromised, but the apps in question are not currently available on the Google Play market.

According a source familiar with the matter, The Verge has learned that the Sky help team’s Twitter account had been compromised, and that tweets asking customers to uninstall their apps were made by unauthorized actors. The broadcaster is said to be currently investigating the matter.

On May 4th, a series of odd tweets went out to the 5 million or so followers of the E! News Twitter account. “Exclusive! Justin Bieber to E! online: I’m a gay,” read the first one. Then came a tweet about Angelina Jolie commenting on the Syrian revolution, another tweet about Bieber’s homosexuality, then a triumphant admission: “The Syrian Electronic Army was here! Fans of @justinbieber, you have been trolled.”

That’s a ratio of two gay jokes to one political statement, if anyone’s counting. The Syrian Electronic Army purports to be a collective of political hacktivists defending the Assad regime that has controlled the country for more than 40 years against a revolutionary movement. Researchers at HP who studied the SEA hacker collective for three months noted that it is considered one of the top 10 most skilled hacking teams in the world. Recently, the SEA has claimed responsibility for takeovers of more than a dozen prominent global media outlets, including CBS, NPR, and the BBC.

The Financial Times is the latest news organization to fall victim to the pro-Assad Syrian Electronic Army. Reuters reports that FT’s website and Twitter account were both compromised earlier this morning. The former had headlines replaced by a declaration that the SEA had successfully hacked the site, while the latter was used to post tweets attacking groups that seek to depose President Bashar Hafez al-Assad. Not long after, however, the tweets were removed and the headlines fixed, though FT has said it is still working on regaining full control.

Hackers have affiliated themselves with the Syrian Electronic Army name for years, but the group has gained visibility with a series of hacks directed at news sites. The Guardian, NPR, and The Onion have all been successfully hacked in some fashion, and a fake AP tweet briefly sent the stock market tumbling. The group generally uses phishing emails directed at members of the press, convincing them to follow a news link to a story and give up account details.

When the Syrian Electronic Army hijacked The Onion’s Twitter account earlier this week, it was tough to tell if it was merely the satirical news site making fun the handful of major news organizations who’ve been hacked recently, or if it was a genuine victim. Strangely, once The Onion began mocking itself for getting hacked, it was much more clear that, indeed, some hackers had taken over the publication’s Twitter profile. Now, The Onion’s tech team is explaining what happened.

In a post on The Onion tech team’s GitHub blog, the fake news site explains that the Syrian Electronic Army didn’t wrestle control of its Twitter account using some advanced hacker scheme. Rather, all it took was a series of phishing emails that baited Onion staffers into forking over their Google account login into, which led the Syrian Electronic Army to get the publication’s Twitter login info. Now armed with a bit of hindsight, The Onion’s tech team has offered up a few tips and is asking that you “don’t let this happen to you.” Among the suggested defense strategy is a rather simple proposal: make sure you’re “suspicious of all links that ask them to log in, regardless of the sender.”

Posting a fake story on a reputable news source’s Twitter feed can lead to momentary public panic, but what happens when you post real grievances to a fake news feed? Earlier today, readers of satirical news source The Onion began seeing strange tweets and Facebook messages on various social media accounts. “UN’s Ban Ki Moon condemns Syria for being struck by israel: ‘It was in the way of Jewish missiles,’” read one. “BREAKING: #TheOnion readership mass confusion as Syrian Electronic Army takes over. All demand a permanent column,” said another. Most included links with the shortened Onion format, but none led to real articles.

Hacks are usually easy to identify, but as the tweets unfolded over the course of an hour, it was hard to tell whether this was an actual Syrian Electronic Army attack or a meta-joke by The Onion itself. High-profile Twitter hacks have become commonplace enough that they’ve entered the site’s cultural landscape, as have endless guessing games about whether a given tweet is real or the work of hackers. Back in February, the managers of MTV and BET’s Twitter feeds pretended to hack each other’s accounts, briefly changing them to “Hacked MTV” and “BET Hacked” before coming clean. In this light, it’s easy to read The Onion’s tweets as a strange meta-exercise: a site known for satirical news pretends to be a group of fairly serious hacktivists by posting less-funny versions of its usual fake tweets.

Earlier this week Twitter sent out a memo to news outlets, suggesting ways in which they could keep their accounts safe from hackers — but the official account for E! Online appears to have been hacked nonetheless. Earlier today, the account — which goes under the handle @eonline — posted several tweets attributing false statements to Justin Bieber. The Twitter account is currently suspended.

According to retweets and images currently circulating, a later tweet from @eonline named the Syrian Electronic Army as the party responsible for the self-described troll. A group going by the same name has claimed to be behind the takeover of several other high-profile Twitter accounts and websites, including ones connected to NPR, CBS, and The Guardian. Twitter’s warning earlier this week was seen as a response to recent attacks; today’s incident just underscores the need for stricter security measures — not to mention a two-factor authentication method for Twitter itself— that much more.

Minutes after the Associated Press’s main Twitter account was hacked last month and a completely false tweet posted saying President Obama had been injured in explosions at the White House, the Dow Jones Industrial Average dropped almost 100 points. Though it quickly recovered moments later, the sudden downswing in stock prices is now being cited by one high-ranking US financial official as evidence of why there needs to be tighter regulations on high-speed trading.

Gary Gensler, chair of the US Commodity Futures Trading Commission, a government agency that regulates the futures market, brought up the false AP tweet in a meeting yesterday with industry representatives as an example of “bad actors putting out false information” into the marketplace, adding that 100 years in the future, “they will use new technology, things that will make Twitter and Facebook look old style.”

After successfully overtaking the primary Associated Press Twitter account — its highest-profile “hack” to date — the Syrian Electronic Army turned its sights on The Guardian over the weekend. The group targeted and temporarily gained access to 11 Guardian-related accounts, all of which were revealed on its website. Many of the accounts (including @GuardianBooks and @GuardianTravel) remain suspended as of today, though others seem to have been successfully recovered.

The Guardian staffer James Ball confirms that, much like in the AP attack, the SEA deployed cleverly-disguised phishing emails to carry out its most recent batch of hacks.

Anyone that follows the Associated Press on Twitter just heard “news” of an unprecedented national crisis. “Two Explosions in the White House and Barack Obama is injured,” the AP’s account tweeted moments ago. Thankfully onlookers were quick to call the tweet fake, no doubt aided by the fact that no other news agencies are reporting a dire situation at the White House. The formatting is also uncharacteristic of the style guide-enforcing AP, with a bizarre capitalization of “Explosions” and a reference to the president by his first name. The news wire has since confirmed its account has been hijacked, referring to the tweet in question as “bogus.”

But effects of the major hack — not the first to impact a news agency on Twitter — are already being felt. The Dow plummeted nearly 100 points following the worrying tweet, though stocks have largely bounced back from the dive.